RE: External Network Logic

  • From: "Amy Babinchak" <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 7 Dec 2005 20:07:20 -0500

How many hops does that make to the Internet for the Internal network
PC's?

Amy
 
Harbor Computer Services
Small Business Computer Specialists
 
Client Blog: http://smalltechnotes.blogspot.com/
Tech Blog: http://isainsbs.blogspot.com/
Website: http://www.harborcomputerservices.net/
 

 

-----Original Message-----
From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx] 
Sent: Wednesday, December 07, 2005 8:06 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: External Network Logic

http://www.ISAserver.org

OK- just so we're on the same page-- I'm not talking about my back-to-back
DMZ config that does indeed have a DMZ Perimeter network on the BE ISA for
my FE Exchange server.  That's done.

I'm not talking about a NEW box going into my internal network to physically
separate client systems from server systems.  That's the one I was talking
about having 2 nics with no "External" resources.
t



----- Original Message ----- 
From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, December 07, 2005 4:41 PM
Subject: [isalist] RE: External Network Logic


> This isn't a back-to-back config.  This is a single server going in
> between my clients and my servers... There won't be a way to "NAT to the
> Internet" in that config as the only defined rule will be a route
> relationship from the Perimeter to the Internal.
>
> I understand the concept that "Internet" is the default gateway, but in
> this case, there can't be a "Nat" relationship anywhere.
> t
>
>
> ----- Original Message ----- 
> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Wednesday, December 07, 2005 4:25 PM
> Subject: [isalist] RE: External Network Logic
>
>
> No, the Internet is always there, unless you're talking about a
> caponized ISA firewall (single NIC).
>
> The Internet is reached via the NIC with the default gateway defined on
> it, which in a back to back config would be the internal interface of
> the FE ISA firewall.
>
> There is one point of confusion induced by the UI -- and that's the
> ability to create an "external Network".  There is no difference from
> the firewall's point of view between a perimeter Network and an external
> Network. So, you can create another external Network if you like, but
> it's *exactly the same* as a perimeter network from ISA's multinetworking
> point of view. The default External Network is always there (except for
> the unihomed ISA firewall).
>
> For example, if a client on the default Internal Network connects to a
> host on the perimeter network between the ISA firewalls, the connections
> are routed and the source IP address is not replaced. If a host on the
> default internal Network connects to an IP address that is part of the
> default External Network (which is the Internet) the connection will be
> NATed.
>
> The ISA firewall's ability to enable control over your route
> relationships really does give you a lot of flexibility.
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
>
>
>
>> -----Original Message-----
>> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
>> Sent: Wednesday, December 07, 2005 5:39 PM
>> To: [ISAserver.org Discussion List]
>> Subject: [isalist] RE: External Network Logic
>>
>> One thing though, just so I understand-- How would I NAT to
>> the Internet?
>> There *is no* "Internet" per se in a 2 NIC config with both
>> defined as ISA
>> Firewall Networks, right?  There would be route relationship from the
>> Internal to the DMZ Perimeter.  The Internet would only exist if an
>> Interface was added and not defined elsewhere, correct?
>> t
>>
>> ----- Original Message ----- 
>> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
>> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
>> Sent: Wednesday, December 07, 2005 3:01 PM
>> Subject: [isalist] RE: External Network Logic
>>
>>
>> The default External Network is defined as all addresses that
>> defined by
>> any other ISA firewall Network. So, there is still an
>> external network,
>> you just don't have any access to it, since you've created
>> ISA firewall
>> Networks for both the NIC (one for the default Internal
>> Network and one
>> for the ISA firewall Network representing the perimeter network NIC).
>>
>> You can use this in a number of scenarios, like turning the
>> DMZ between
>> the BE and FE ISA firewall into an ISA firewall Network and creating a
>> route Network Rule between that and the default Internal Network, but
>> still NAT'ing to the Internet. Pretty slick, eh?
>>
>> Thomas W Shinder, M.D.
>> Site: www.isaserver.org
>> Blog: http://spaces.msn.com/members/drisa/
>> Book: http://tinyurl.com/3xqb7
>> MVP -- ISA Firewalls
>> **Who is John Galt?**
>>
>>
>>
>> > -----Original Message-----
>> > From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
>> > Sent: Wednesday, December 07, 2005 4:57 PM
>> > To: [ISAserver.org Discussion List]
>> > Subject: [isalist] External Network Logic
>> >
>> > So, you've got ISA with 2 NIC's.  You define the Internal
>> > range on one NIC,
>> > leaving the other NIC as "External."  You then add a
>> > perimeter network, and
>> > give it the IP range of what used to be the "External" NIC.
>> > What happens to
>> > the concept of the External network since you now have a
>> > trusted Internal
>> > network and a less trusted "Perimeter" network, but no real
>> > "External"
>> > network anymore.  Will it just be an "empty" network set
>> > sitting there all
>> > alone in the cold, cold ground?
>> >
>> > t
>> >
>> >
>> > ------------------------------------------------------
>> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
>> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
>> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
>> > ------------------------------------------------------
>> > Visit TechGenix.com for more information about our other sites:
>> > http://www.techgenix.com
>> > ------------------------------------------------------
>> > You are currently subscribed to this ISAserver.org Discussion
>> > List as: tshinder@xxxxxxxxxxxxxxxxxx
>> > To unsubscribe visit
>> > http://www.webelists.com/cgi/lyris.pl?enter=isalist
>> > Report abuse to listadmin@xxxxxxxxxxxxx
>> >
>> >

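The thread's central point is that the default External Network is whatever address space no defined ISA firewall Network claims, and that the Network Rule between two Networks decides whether the source address is kept (route) or replaced (NAT). The following is an added example, not code from any list participant or from ISA Server: a small Python model of that lookup, using constructed address ranges and a hypothetical firewall NIC address.

```python
import ipaddress

# Constructed sample addressing (not from the thread): one ISA firewall Network per NIC.
NETWORKS = {
    "Internal": ipaddress.ip_network("10.0.0.0/24"),
    "Perimeter": ipaddress.ip_network("172.16.0.0/24"),
}
# Hypothetical firewall address on the NIC that holds the default gateway.
FIREWALL_GATEWAY_NIC = "172.16.0.1"

# Back-to-back case from the thread: route to the perimeter, NAT to the Internet.
ROUTE_AND_NAT = {
    ("Internal", "Perimeter"): "route",
    ("Perimeter", "Internal"): "route",
    ("Internal", "External"): "nat",
}
# Single internal segmentation box: only a route relationship is defined.
ROUTE_ONLY = {
    ("Internal", "Perimeter"): "route",
    ("Perimeter", "Internal"): "route",
}

def network_of(addr):
    """Return the defined Network containing addr, else the default External."""
    ip = ipaddress.ip_address(addr)
    for name, prefix in NETWORKS.items():
        if ip in prefix:
            return name
    return "External"  # everything no other Network claims

def evaluate(src, dst, rules):
    """Return (src_net, dst_net, relationship, source address the destination sees)."""
    src_net, dst_net = network_of(src), network_of(dst)
    if src_net == dst_net:
        return src_net, dst_net, "same-network", src  # never crosses the firewall
    relationship = rules.get((src_net, dst_net))
    if relationship == "route":
        return src_net, dst_net, "route", src  # source IP preserved
    if relationship == "nat":
        return src_net, dst_net, "nat", FIREWALL_GATEWAY_NIC  # source IP replaced
    return src_net, dst_net, "no-rule", None  # no Network Rule: not forwarded

if __name__ == "__main__":
    for rules in (ROUTE_AND_NAT, ROUTE_ONLY):
        for dst in ("172.16.0.10", "203.0.113.10"):
            print(evaluate("10.0.0.25", dst, rules))
```

With the route-only rule set, the External Network still exists in the model, but an Internal client has no relationship to it, which matches the two-NIC segmentation case discussed in the thread.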
